gyungdal / cSync

Camera synchronizer for 3D human body scanning

CVE-2018-18074 (High) detected in requests-v2.9.1 - autoclosed #15

Status: Closed. mend-bolt-for-github[bot] closed this issue 2 years ago.

mend-bolt-for-github[bot] commented 4 years ago

CVE-2018-18074 - High Severity Vulnerability

Vulnerable Library - requests-v2.9.1

A simple, yet elegant HTTP library.

Library home page: https://github.com/kennethreitz/requests.git

Found in HEAD commit: c8faca656439c1f8b6892f9b06aaeb3200af5c6e

Library Source Files (33)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

- /cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/util/ssl_.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/utils.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/__init__.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/models.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/api.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/cookies.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/util/request.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/adapters.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/request.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/__init__.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/util/connection.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/util/retry.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/exceptions.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/util/response.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/hooks.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/sessions.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/auth.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/util/url.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/util/timeout.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/response.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/contrib/appengine.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/contrib/ntlmpool.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/poolmanager.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/contrib/pyopenssl.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/filepost.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/fields.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/exceptions.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/connection.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/status_codes.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/_collections.py
- _depth_0/cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/util/__init__.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/__init__.py
- /cSync/reference/pi3dscan/agisoft_python_requests/requests/packages/urllib3/connectionpool.py

Vulnerability Details

The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.

Publish Date: 2018-10-09

URL: CVE-2018-18074

CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
- Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-18074

Release Date: 2018-10-09

Fix Resolution: 2.20.0


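The vulnerability description above says what leaks but not why the pre-2.20.0 redirect handling leaked it. The following is an added illustration, written for this page and not code from the cSync project or from the requests library: it re-implements, in simplified form, the two redirect rules that requests applies when rebuilding headers for a redirected request. The old rule (requests 2.9.1, as vendored here) dropped `Authorization` only when the hostname changed, so a same-host `https` to `http` redirect kept the header on the plaintext hop. The 2.20.0 rule also drops it when the scheme or port changes, while still allowing the harmless `http` to `https` upgrade on default ports. The function names, the constructed redirect map and the Base64 credential are all assumptions made for the example; the walk over the redirect chain stands in for real HTTP traffic so the block runs offline.

```python
"""Why CVE-2018-18074 leaks: requests < 2.20.0 vs the 2.20.0 rebuild_auth rule.

Stand-alone re-implementation of the decision logic only (not the library's
code); URLs, headers and the redirect map below are constructed for the demo.
"""
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_port(parsed):
    """Port actually used: explicit port, or the scheme's default."""
    return parsed.port if parsed.port is not None else DEFAULT_PORTS.get(parsed.scheme)


def vulnerable_should_strip_auth(old_url, new_url):
    """Pre-2.20.0 rule: strip Authorization only if the hostname changes.
    A same-host https -> http downgrade is therefore NOT stripped."""
    return urlparse(old_url).hostname != urlparse(new_url).hostname


def fixed_should_strip_auth(old_url, new_url):
    """2.20.0-style rule (simplified): strip on host change, on scheme
    change, or on port change; keep it for an http -> https upgrade
    that stays on the default ports."""
    old, new = urlparse(old_url), urlparse(new_url)
    if old.hostname != new.hostname:
        return True
    if (old.scheme == "http" and new.scheme == "https"
            and effective_port(old) == 80 and effective_port(new) == 443):
        return False
    return old.scheme != new.scheme or effective_port(old) != effective_port(new)


def rebuild_auth(should_strip, headers, old_url, new_url):
    """Headers to send on the redirected request, given a strip rule."""
    headers = dict(headers)
    if "Authorization" in headers and should_strip(old_url, new_url):
        del headers["Authorization"]
    return headers


def follow_redirects(should_strip, start_url, headers, redirect_map, max_redirects=30):
    """Walk a constructed redirect chain; redirect_map maps a request URL to
    the Location header the server would answer with. Returns the list of
    (url, headers) pairs that would have been put on the wire."""
    sent, url = [], start_url
    for _ in range(max_redirects + 1):
        sent.append((url, headers))
        location = redirect_map.get(url)
        if location is None:          # final 200, chain ends
            return sent
        headers = rebuild_auth(should_strip, headers, url, location)
        url = location
    raise RuntimeError("too many redirects")


# Constructed scenario: the TLS endpoint 302s to its own plaintext twin.
REDIRECTS = {"https://api.example.com/v1/scan": "http://api.example.com/v1/scan"}
AUTH_HEADERS = {"Authorization": "Basic c2Nhbm5lcjpzZWNyZXQ="}  # made-up credential


def plaintext_hops_with_auth(should_strip, start_url="https://api.example.com/v1/scan"):
    """URLs reached over plain http that still carried the Authorization header,
    i.e. the hops a passive sniffer could read the credential from."""
    hops = follow_redirects(should_strip, start_url, AUTH_HEADERS, REDIRECTS)
    return [u for u, h in hops if urlparse(u).scheme == "http" and "Authorization" in h]


if __name__ == "__main__":
    print("requests < 2.20.0 leaks on:", plaintext_hops_with_auth(vulnerable_should_strip_auth))
    print("requests >= 2.20.0 leaks on:", plaintext_hops_with_auth(fixed_should_strip_auth))
```

The practical check for this repository is the same one the walk encodes: a copy of requests that only compares hostnames in its redirect handling is affected, whichever directory it has been vendored into, and the remedy the bot suggests (moving to 2.20.0 or later, or deleting the vendored copy if it is unused reference material) is what removes the plaintext hop from the chain.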

mend-bolt-for-github[bot] commented 2 years ago

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.